Cybersecurity , Data Breach , Risk Management
Security Shouldn't be Boxed: The Cloudified Edge & End of an Era for Hardware Box Providers
Blockchain distributed database technology used by bitcoin and other cryptocurrencies offers opportunities for enhanced authentication and ID management, as well as cross-border money remittances, says Ben Knieff, a senior analyst at the consultancy Aite. But he contends it's not clear that the technology could play a role in faster payments.
"What the blockchain offers is an ability to verify and store any variety of assets, and identity is potentially one of those assets," Knieff says in an interview with Information Security Media Group at RSA Conference 2016. "The notion would be that one party could go through the identity verification and proofing process, enter that into the blockchain, and then other parties could rely on it. You could think of it as a passport or a driver's license that sits on the blockchain and identifies you."
And while blockchain technology has been touted by many, including the Federal Reserve, as potentially providing the underlying infrastructure that facilitates faster payments in the U.S., Knieff says blockchain technology has limitations. "I think it's really still in the exploratory phase, to be honest with you," he says. "Blockchain technology is not the answer for everything. It's a new kind of database. ... Blockchain has many uses, but it's not like an end-all, be-all kind of technology. There are other ways to handle faster payments."
Knieff says Bitcoin Blockchain-based transactions are limited to seven per second. "That is so small compared to what we would need for a U.S. faster payments system," he explains. "You would need hundreds of thousands of transactions per second."
But blockchain technology has potential in other payments areas, such as cross-border money remittances, Knieff contends. "When you look at the cost basis for cross-border payments and remittances today, it's fairly high," he says. "Remittances, in particular, are a concern, because they are generally used by an underbanked population ... and the transaction cost for those remittances is very, very high. So there are a number of firms that are looking at leveraging the blockchain, whether it be bitcoin or another virtual currency, to transmit those funds at a virtually zero cost rate and take on some foreign exchange currency risk."
During this interview, Knieff also discusses:
Risks associated with cross-border blockchain payments;
Why other countries have pursued other routes for faster payments; and
Why privacy and identity management are becoming hotter topics.
At Aite, Knieff specializes in fraud detection, identity verification and authentication, anti-money laundering/Bank Secrecy Act compliance and investigations management. He has more than 15 years of product management and product marketing experience in know-your-customer/due-diligence management, transaction monitoring, sanctions, account-origination fraud, online fraud, ATM fraud and identity theft. Before joining Aite, Knieff worked with major financial services firms such as FIS and Actimize.
Encryption , Privacy , Technology
Encryption Compromise: A Fleeting Dream
Why There Is No Middle Ground Between Apple, Government on Creating a Backdoor
The U.S. Justice Department's appeal of a court order that the government can't compel Apple to unlock an iPhone used by an accused drug dealer is significant because it sets in motion a process that could lead to a Supreme Court ruling on whether mobile device makers must give law enforcement a backdoor to circumvent encryption.
See Also: Rethinking Endpoint Security
Congress, meanwhile, is exploring whether an elusive legislative compromise can be found to give law enforcement or intelligence agencies access to critical evidence hidden on locked devices while safeguarding the security and privacy of individuals who use those devices. But don't expect Congress to act before the courts, and don't expect a resolution of the matter anytime soon.
On March 7, the Justice Department argued in filing its appeal that a federal magistrate in Brooklyn, N.Y., erred when he refused to order Apple to unlock the drug dealer's iPhone (see Apple Wins Legal Round Over Unlocking a 2nd iPhone).
"Apple is not being asked to do anything it does not currently have the capability to do," federal prosecutors said in their filing. "Apple has used that capability dozens of times, in response to lawful court orders like the one sought here, with no claim that doing so put customer data or privacy in harm's way."
Magistrate James Orenstein in New York on Feb. 29 said the government's interpretation of a 1789 law called the All Writs Act was too broad, noting that Apple isn't doing anything to prevent the government from unlocking the iPhone. In a similar case, Magistrate Sheri Pym in California approved a DOJ order, citing the All Writs Act, to require Apple to help the FBI crack open the iPhone of the San Bernardino shooter, who killed 14 people. Apple is appealing Pym's order (see Apple, FBI Draw Lines in Crypto Battle).
As both cases navigate through the appellate process, the ultimate arbiter could be the Supreme Court, but any decision could be years away. "The courts are slow to act on current legal matters that are impacting the area of security and privacy as it takes time to flesh out these matters," says cybersecurity lawyer Chris Pierson, CISO at invoicing and payments provider Viewpost.
Congress is getting into the act. The leaders of the Senate Intelligence Committee, Republican Richard Burr of North Carolina and Democrat Dianne Feinstein of California, are drafting a bill to require companies to comply with court orders to decrypt data and crack passwords.
U.S. lawmakers aren't alone in seeking to compel vendors to decrypt data under certain circumstances. French parliamentary deputies, defying government wishes, last week voted in favor of penalizing smartphone makers who fail to cooperate in terrorism inquiries, according to the French news service Agence France Presse.
House Homeland Security Chairman Michael McCaul, R-Texas, and Senate Intelligence Committee member Mark Warner, D-Va., propose that Congress create a bipartisan commission of experts from the tech industry, intelligence community and privacy advocacy groups to identify a compromise.
But in the coming months, expect theatrics from Congress, not legislating.
"You've got Congress in a position where, yes, you'll see a lot of theater and it will be exciting and dramatic, but no congressman is going to want to enter an election year saying 'I voted for terrorism'," James Lewis, a cybersecurity expert at the think tank Center for Strategic and International Studies, says in a Steptoe Cyberlaw Podcast. "And, that's how it will be spun, so this will never come to a vote."
Stewart Baker, in his podcast, discusses with James Lewis how Congress is addressing the Apple-FBI encryption debate.
The idea of the commission arose even before the latest dispute between Apple and the government. But the commission is doomed to fail because a compromise is all but unimaginable. "There is no solution; get over it," podcast host Stewart Baker, former Department of Homeland Security assistant secretary for policy and National Security Agency general counsel, advises lawmakers.
The idea that comes closest to a potential compromise is offered by security expert Martin Libicki of the think tank Rand, who suggests: "What about if Apple breaks the phone, keeps the phone and just hands over the data? Then, no one (except Apple) will be the wiser about how it was done? (Not that I'm advocating as much because there are other issues such as privacy, but ... )"
Apple would likely rebuff Libicki's idea. Apple CEO Tim Cook has said it's unacceptable to have the U.S. government ask "us for something we simply do not have, and something we consider too dangerous to create ... [building] a backdoor to the iPhone."
The main argument against requiring Apple to create a backdoor is that once done, others - criminals, terrorists and nation-state adversaries - could exploit it. "I cannot build an access mechanism that only works in the presence of a certain legal document, or only for a person who receives a paycheck from a certain agency, or only for a citizen of a certain country," cryptographer and cybersecurity author Bruce Schneier says. "By definition, technical access mechanisms can be used by anyone."
Even if the U.S. government requires vendors decrypt their devices under court order, the bad guys can still use foreign-made encryption products beyond the jurisdiction of American authorities. Schneier last month in his blog identified 412 encryption products made outside the U.S. that are readily available for use.
Still, some security experts express faith that the best and brightest from government and industry can find that enigmatic compromise. "Don't give up on the creative energies of people of good will in law enforcement and the tech industry," says Bruce McConnell, global vice president of the think tank EastWest Institute and a former senior cybersecurity policymaker at DHS.
But I cannot envision how such a compromise would look. Can you?
Email security is a growing worry, despite the fact that phishing attacks and spam have been around for decades, says Vidur Apparao, CTO of Agari. The urgency of improving email security is a big reason why DMARC - the Domain-based Message Authentication, Reporting & Conformance initiative - is gaining ground as a viable way to shore up email defenses, he adds.
See Also: Stop Fraud, Not Customers: Focus On Good User Experience
During an interview at RSA Conference 2016, Apparao discusses:
How top-level domains are enhancing email security on some fronts but challenging it on others;
Why the .bank top-level domain offers promise; and
Emerging trends in business email compromise attacks.
Apparao is the chief technology officer of Agari.
Encryption , Mobility , Privacy
Justice Department: Apple's Rhetoric Is 'False' and 'Corrosive'
In a filing rebutting Apple's appeal of a court order requiring the company to help the FBI unlock the iPhone used by a shooter in the San Bernardino massacre, the Justice Department says Apple's rhetoric is "false" and "corrosive" to the institution that safeguards Americans' liberties and rights.
"The rule of law does not repose that power in a single corporation, no matter how successful it has been in selling its products," the Justice Department said in a 35-page motion filed March 10 with the U.S. District Court for the Central District of California.
DOJ, in its filing, says its request that Apple help the FBI to unlock the iPhone is a modest one that allows Apple to choose the least burdensome means to comply. It's a narrow, targeted order that will produce a narrow, targeted piece of software capable of running on just one iPhone in the security of Apple's headquarters, the DOJ argues.
A senior law enforcement official, speaking at a DOJ briefing March 10, accused Apple of creating a diversion by saying the case is not about a single iPhone and trying to alarm the court with issues of network security, encryption, backdoors and privacy, invoking larger debates before Congress and in the news media (see Apple, FBI Battle Before House Judiciary Committee).
"Apple deliberately raised technological barriers that now stand before a lawful warrant and an iPhone containing evidence related to a terrorist mass murder of 14 Americans," the senior law enforcement official said. "Apple, alone, can remove those barriers so the FBI can search the phone. They can do so without undue burden. Under those specific circumstances, Apple can be compelled to give aid. That is not lawless tyranny; rather it's ordered liberty vindicating the rule of law."
Apple General Counsel Bruce Sewell says the tone of the government brief reads "like an indictment," adding that in his 30 years as a lawyer he had never "seen a legal brief that was more intended to smear the other side with false accusations and innuendo," according to media reports of a Thursday conference call with reporters.
Sewell said a number of the government's charges were groundless, including one that suggests that Apple's relationship with the Chinese government is different from ones with other countries. Government lawyers, he said, are "so desperate at this point that it has thrown all decorum to the winds."
The government, in its filing, says: "Apple appears to have made special accommodations in China as well: for example, moving Chinese user data to Chinese government servers, and installing a different WiFi protocol for Chinese iPhones. ... Such accommodations provide Apple with access to a huge, and growing, market."
U.S. Magistrate Judge Sheri Pym on Feb. 16 ordered Apple to assist the FBI by updating the iPhone to disable security features designed to wipe its memory or slow passcode entry to block brute-force attacks. Pym issued her order using the All Writs Act of 1789, which gives a judge the ability to issue court orders for matters not covered under current law (see Apple, FBI Draw Lines in Crypto Battle).
The Justice Department has framed its request as being limited to only unlocking a single phone: an iPhone 5C issued to Calif.-based Rizwan Farook, 29, by his employer, San Bernardino County. Farook and his wife Tashfeen Malik, 29, attacked Farook's work colleagues in a December shooting spree that left 14 people dead and 22 wounded. The government has also cited a legal precedent, recently noted by George Washington University law professor Orin Kerr, that it can force a suspect to help it crack an encryption scheme, in the form of the 1807 treason trial of Aaron Burr, when his clerk was compelled to decrypt a letter.
Year when the US Govt first tried (and succeeded) forcing 3rd party to help crack suspect's encryption scheme: 1807, in the Aaron Burr case.
In an impassioned Feb. 17 letter, Apple CEO Tim Cook said that Apple would fight the "dangerous" court order. "We have no sympathy for terrorists," he said. "But now the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone."
Citing Supreme Court decisions, the DOJ reiterated earlier arguments that it can use the All Writs Act to compel Apple to comply with the court order. Apple, however, has argued that the All Writs Act would subvert Congressional powers.
Apple contends creating special software to help circumvent the iPhone's password protection would also be burdensome, a point the government dismisses. The filing cites Apple as asserting it would take six to 10 employees two to four weeks to develop new code in order to carry out the court's order. "Even taking Apple at its word, this is not an undue burden, especially given Apple's vast resources and the government's willingness to find reasonable compromises and provide reasonable reimbursement," the filing says.
One argument advanced by Apple and its supporters in the technology community is that if it creates a password workaround to gain access to the iPhone, the code could get into the hands of potential hackers, stolen by spies, or taken to another firm by the engineers who worked on the project.
But the government attempts to dismiss this point. The filing says Apple needn't share the code with the government, adding that the company has shown it's capable of protecting code that could compromise its security.
"Even if criminals, terrorists and hackers somehow infiltrated Apple and stole the software necessary to unlock Farook's iPhone, the only thing that software could be used to do is unlock Farook's iPhone," the filing said. "Far from being a master key, the software simply disarms a booby trap affixed to one door: Farook's."
Some security experts, however, have questioned the government's claim that it's not trying to set a precedent with this new case, or that it's only about one device. Indeed, as Nicholas Weaver, a researcher at the International Computer Science Institute and the University of California at Berkeley, has noted, the entire U.S. legal system is based on precedent.
How can the DOJ with a straight face say this is only about the case at hand, in a court system which runs on precedent?
Cryptographer Matthew Green, an assistant professor at the Johns Hopkins Information Security Institute, likewise said the Justice Department is attempting to set a dangerous precedent that allows it to seize any code created by U.S. software developers, which in this case would be the cryptographic code that Apple uses to sign iOS updates, without which devices won't run the code. Alternately, the DOJ's filing warns, it will compel Apple's developers to write code that performs to the government's specifications - no matter the potential repercussions.
But many legal experts have said that attempting to compel developers to write code would likely violate their and Apple's First Amendment rights.
I miss the days when all we had to worry about was an infinite parade of software vulns. Governments commandeering signing keys is too much.
Meanwhile, iOS security expert Jonathan Ździarski said that DOJ would likely already have attempted to seize Apple's signing code and write the update itself, but that it likely lacks developers that possess the requisite - highly specialized - programming skills that would be required.
This is the only reason .gov hasn't seized Apple's signing keys: they admit they wouldn't know how to use them. pic.twitter.com/1Op5UkQAsq
Apple's appeal of Pym's order will be heard March 22. That's one day after Apple is expected to launch a new range of iPhones (see Report: Apple Building iPhone It Can't Hack).
Executive Editor Mathew Schwartz also contributed to this story, which has been updated.
Breach Response , Data Breach , DDoS
Credit Cards, Other Customer Data Exposed
Credit card and other personal information was exposed in a data breach of Internet hosting provider Staminus Communications, which specializes in protection against distributed denial-of-service attacks. The company hosts the website of the Ku Klux Klan white supremacist group, which was also brought down.
See Also: Unlocking Software Innovation with Secure Data as a Service
Hackers reportedly brought down the website of Staminus Communications for about 20 hours on March 10, and as of late March 11 staminus.net was only partially restored. The Klan's website remained offline as of Friday evening Eastern time.
Staminus' home page on Friday featured a statement from CEO Mat Mahvi, but provided no links to other pages on its website. Attempts to access other Staminus pages using specific URLs failed.
"Based on the initial investigation, we believe that usernames, hashed passwords, customer record information, including name and contact information and payment card data were exposed," Mahvi said in the statement. "It is important to note that we do not collect Social Security numbers or tax IDs."
A huge trove of data from Staminus appeared online, in a classic "hacker e-zine" format, according to Krebsonsecurity.com, which was the first to report on the incident. The page includes links to download databases reportedly stolen from Staminus and from Intreppid, another Staminus project that targets customers looking for protection against large DDoS attacks.
"The authors of this particular e-zine indicated that they seized control over most or all of Staminus' Internet routers and reset the devices to their factory settings," the Krebs report says. "They also accuse Staminus of 'using one root password for all the boxes,' and of storing customer credit card data in plain text, which is violation of payment card industry standards."
Hours after the outage, Staminus posted overly optimistic Twitter posts promising service would be shortly restored.
Global services are now back online, ancillary services are currently being brought back online. We expect full service restoration soon.
Staminus says it had notified law enforcement, including the FBI, once it learned its website was breached. "While the investigation continues," Mahvi says, "we have and will continue to put additional measures into place to harden our security to help prevent a future attack."
Although the exposed passwords were protected with a cryptographic hash, Mahvi urges customers to change their passwords.
Staminus says it notified its payment processor and all card brands so that they could monitor for fraudulent activity. The company advises its customers to regularly check their credit and debit card statements to see whether any fraudulent or suspicious activities occurred.
Watch for updates on this developing story.
Anti-Malware , Risk Management , Technology
Attackers Are Plowing Profits Back Into Code Development, Experts Warn
The FBI calls ransomware "a prevalent, increasing threat."
Chris Stangl, a section chief at the FBI's Cyber Division, tells The Wall Street Journal that the threat is compounded by the difficulty of arresting the cybercriminals involved.
Although authorities are pursuing the perpetrators behind multiple campaigns, many of them are located in Eastern Europe, outside the reach of U.S. extradition agreements (see How Do We Catch Cybercrime Kingpins?).
At the same time, many organizations and individuals are apparently failing to follow related recommendations from security experts, including using anti-malware software, keeping up-to-date backups on disconnected media and never paying ransoms (see Ransomware: 7 Defensive Strategies).
The FBI's Internet Crime Complaint Center will soon release statistics reporting that in 2015, it received complaints relating to 2,453 ransomware incidents, with victims paying a total of more than $24 million, The Wall Street Journal reports. Of course, that only reveals a fraction of the true scale of ransomware infections - or ransom payments - because it's based solely on those who report related losses to the FBI. Still, the figure is a sharp increase from last year. From April to December 2014, 1,838 victims reported total losses of $23.8 million to the FBI. The rise in attacks also parallels what security experts say has been a surge in cybercrime profits, thanks, in part, to ransom payments (see I Believe in Cybercrime Unicorns).
Ransomware, of course, is a global problem. Furthermore, such attacks aren't the province of any single criminal group. Indeed, cybercriminals can buy or subscribe to various ransomware packages - CryptoWall, CTB-Locker, Locky, TeslaCrypt, TorrentLocker - to forcibly encrypt victims' PCs and demand a payoff in exchange for the decryption key. Those waging attacks typically demand payment in bitcoins, making the money trail more difficult for law enforcement agencies to follow (see Tougher to Use Bitcoin for Crime?).
More recently, attackers have also begun to target Apple OS X systems using natively built ransomware called KeRanger, although the BitTorrent software in which the malware was hidden was reportedly downloaded only about 6,000 times before the related campaign was disrupted. There are no signs - at least yet - that attackers are trying again.
Servers are also at risk. In fact, a new variant of CTB-Locker known as Onion Ransomware is designed to target servers, Kaspersky Lab security researcher Ido Naor says in a blog post. If the ransomware is successful, the related, automated attack infrastructure displays a $150 ransom demand to generate the decryption key, typically on a highly visible, public-facing Web page generated by the server. The demand doubles to $300 if the ransom isn't paid quickly.
So far, Naor says, related infections have been seen on more than 70 servers located in 10 countries, but mostly in the United States.
The FBI's Stangl said that the bureau doesn't recommend paying ransoms under any circumstances, although that advice only goes so far. "The FBI can't tell somebody not to pay the ransom. That is a business decision to make, period," he said. "If the business needs to operate, they need to do something."
Many victims apparently do pay. Raj Samani, the CTO for Europe, the Middle East and Africa for Intel Security, said that together with the Cyber Threat Alliance, his firm found that criminals who employed CryptoWall version 3 earned massive profits. "The amount of money they made was at least $325 million U.S. dollars, and we had to peel back 40 layers of obfuscation" to reach that "conservative" estimate, Samani said in an interview at this month's RSA Conference in San Francisco.
Immediately after the researchers published a related report on CryptoWall 3 last year, attackers pulled the plug on that version, releasing an updated version 4 that was designed to be harder to detect.
As that suggests, attackers are plowing at least some of their profits back into code development. "What we found was the level of investment has actually gone in directly to innovating the next version or iteration of ransomware," Samani said.
Most ransomware attacks, Samani said, are shotgun affairs: Criminals attempt to infect as many systems as possible and set a ransom amount that seems calculated to maximize profits as well as victims' propensity to pay. Some versions of CryptoWall 3, for example, demanded $700 in bitcoins for U.S. victims and $500 from victims in Israel, Mexico and Russia.
Intel Security researchers Christiaan Beek and Andrew Furtak write in a blog post that in 2015, they spotted the first ransomware campaign that was designed to target a specific sector - in this case, the financial services industry in an unspecified country. In addition, they report, attackers have been adapting their ransomware to make it more difficult to detect, for example by leaving out some of the traditional components and having their attack code download it later.
When ransomware gangs get busted, or whenever security researchers are able to crack the crypto they're using, authorities typically release the decryption keys or related tools to help victims. But the ransomware employed in the targeted attacks seen by Intel Security was designed to complicate any such scenario. Instead of using a single private key to encrypt all files on a system, the attackers designed their ransomware to encrypt every file using a unique key.
"Now, if you have 10,000 files, there's 10,000 keys," Samani said. "And if you've infected a million people, well, my math isn't very good, but that's a lot of keys."
Attackers also seem to be taking a greater interest in targeting organizations that will pay larger ransoms.
Multiple healthcare organizations, for example, have recently paid off their ransomware attackers. In interviews at the RSA Conference, several security experts said they expect such behavior to drive even more cybercrime gangs to target the healthcare sector because hospitals are earning a reputation for being relatively easy marks (see: Hollywood Hospital Pays Ransom to Unlock Data).
Cybersecurity , Data Breach , Risk Management
Operation Blockbuster: Unraveling the Long Thread of the Sony Pictures Attack